Join us in listening to the experienced experts discuss cutting edge challenges in the world of DevOps. From applying the mindset at your company, to career growth and leadership challenges within engineering teams, and avoiding the common antipatterns. Every episode you'll meet a new industry veteran guest with their own unique story.
Compiler gives you perspectives and insights from the tech industry—free from jargon and judgment. We’re here to help tech newbies understand what’s going on. Learn more about our show at redhat.com/en/compiler-podcast
The Chaos Computer Club is the largest European hacker association and has, for over 25 years, been a mediator in the field of tension between technical and social developments.
Episode Sponsor: Incident.io - https://dev0ps.fyi/incidentio Elise, VP and Head of UX at Unleash, joins us to talk all about UX. Self identifying as probably "The annoying lady in the room" and a career spanning nearly 30 years—starting before "UX" was even a job title — joins us to dismantle the idea that User Experience is just ab…
Accessibility: The Internet Is for Everyone (dgna)
1:17:48
Digital services and offerings have become an indispensable part of everyday life. From pure information delivery to AI interaction, the web is our constant companion. But what about all those people who, because of physical or mental impairments, can participate online only to a limited extent or, in the worst case, not at all? …
Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de By OWASP German Chapter
News from the Juice Shop ecosystem (god2025)
22:36
OWASP Juice Shop went through some significant renovation and enhancements over the last year in order to keep current with the underlying Node.js and Angular frameworks. MultiJuicer was entirely rewritten in GoLang and is now faster and more reliable than ever before. All Juice Shop side-projects have been migrated to TypeScript and brought to a c…
OWASP Top 10:2025: Current Information and Insights on the Project (god2025)
11:10
This short talk presents the current state of the OWASP Top 10:2025; with a bit of luck we will already have more by then... Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de By Torsten Gigler
The Cyber Resilience Act: How OWASP Can Play a Decisive Role for Software Manufacturers (god2025)
21:12
The Cyber Resilience Act, CRA for short, is a new EU regulation and enters fully into force in December 2027. The core element of the regulation is software security for all so-called "products with digital elements" that are offered commercially on the EU market. These include both networked hardware products in which firmwa…
YuraScanner: Leveraging LLMs for Task-driven Web App Scanning (god2025)
22:08
Web application scanners are popular and effective black-box testing tools, automating the detection of vulnerabilities by exploring and interacting with user interfaces. Despite their effectiveness, these scanners struggle with discovering deeper states in modern web applications due to their limited understanding of workflows. This study addresse…
A CISO's Adventures in AI Wonderland (god2025)
42:22
As a CISO (or any other security expert) in the area of AI, you can find yourself in increasingly challenging and sometimes bizarre AI-related situations not unlike Alice's adventures in Wonderland. Depending on whom you speak to, people either have high (inflated?) expectations about the (magic?) benefits of AI for security efforts, or try to expla…
The Trust Trap - Security of Coding Assistants (god2025)
43:05
Coding assistants such as GitHub Copilot, Cursor or Claude promise an efficiency boost for software development. But what influence does the use of these tools have on software security? This talk analyzes the advantages and disadvantages of coding assistants with regard to the security of the resulting code. It gives an overview of…
How we hacked Y Combinator companies' AI agents (god2025)
24:28
We hacked 7 of the 16 publicly-accessible YC X25 AI agents. This allowed us to leak user data, execute code remotely, and take over databases. All within 30 minutes each. In this session, we'll walk through the common mistakes these companies made and how you can mitigate these security concerns before your agents put your business at risk. Licensed …
"I have no idea how to make it safer": Security and Privacy Mindsets of Browser Extension Developers (god2025)
24:42
Browser extensions are a powerful part of the Web ecosystem as they extend browser functionality and let users personalize their online experience. But with higher privileges than regular web apps, extensions bring unique security and privacy risks. Much like web applications, vulnerabilities often creep in, not just through poor implementation, bu…
Extract: A PHP Foot-Gun Case Study (god2025)
24:37
Do you always read the documentation before using a function in your language's standard library? This talk explores the attack surface of a special feature in PHP which is easy to misuse with unforeseen consequences. The `extract` function allows replacing the value of local variables named after the keys in an array. Calling it with user-controll…
MCP security hot potato: how to stay secure integrating external tools to your LLM (god2025)
24:38
Model Context Protocol (MCP) is the latest hot topic in cybersecurity. Business wants it (AI is the new mantra), developers are excited (new toys, new code), and security teams are left to make it safe—often with already packed schedules. Let's treat it like just another Tuesday. Like many shiny new technologies (remember the early days of cloud?),…
Pwn My Ride: Jailbreaking Cars with CarPlay (god2025)
40:58
Apple CarPlay is a widely known protocol that connects smartphones to car multimedia systems. Based on AirPlay, CarPlay is installed in millions of cars, as it is supported by hundreds of car models from dozens of different manufacturers across the globe. In our talk, we will share how we managed to exploit all devices running CarPlay using a singl…
The Automation Illusion? What Machines Can't Do in Threat Modeling (god2025)
39:58
Threat modeling stands at a critical juncture. While essential for creating secure systems, it remains mostly manual, handcrafted, and often too slow for today's development cycles. At the same time, automation and AI offer new levels of speed and scalability— but how much can we rely on them? This talk explores the tension between automation and hu…
OWASP Cumulus: Threat Modeling the Ops of DevOps (god2025)
26:08
In this presentation, we will highlight how threat modeling, as a proactive measure, can increase security in DevOps projects. We will introduce OWASP Cumulus, a threat modeling card game designed for threat modeling the Ops part of DevOps processes. This game (in combination with similar games like Elevation of Privilege or OWASP Cornucopia) enable…
Phishing for Passkeys: An Analysis of WebAuthn and CTAP (god2025)
19:24
WebAuthn was supposed to replace passwords on the web: uniform, secure, manageable authentication for everyone! One of its unique selling points was supposed to be the impossibility of phishing attacks. When passkeys were introduced, some of WebAuthn's security principles were watered down in order to achieve some usability improvements and thus reach…
Introducing Passkeys - Strategies and Challenges for Developers (god2025)
22:18
The future of authentication is passwordless - Passkeys are the key technology. This talk supports developers in implementing Passkeys in their organizations and helps with the decision between in-house development, SDK, or Passkey-as-a-Service solutions. You will learn how to design recovery flows and fallback mechanisms in a user-friendly way, ho…
Continuous Vulnerability Scanning with OWASP secureCodeBox (god2025)
24:21
The OWASP secureCodeBox project aims to provide a unified way to run and automate open-source scanning tools like nmap, nuclei, zap, ssh-audit, and sslyze to continuously scan the code and infrastructure of entire organizations. This allows setting up automated scans that will regularly scan internal networks and internet-facing systems for vulnerab…
The fundamental security principles described by LangSec explain the root causes of many security vulnerabilities and how to fix them. LangSec sees the ongoing vulnerability epidemic in software as a consequence of the ad hoc development of code that processes inputs and outputs. According to LangSec, the key to developing …
All the WAF power to the devs - why it reduces friction… and where it backfires (god2025)
34:16
Web application firewalls are often seen as a hindrance when going live, as perimeter WAFs can clash with GitOps-driven platforms. Empowering development teams with an application-centric WAF setup allows them to run and tune the WAF throughout the entire development lifecycle. It also enables full integration into any CI/CD pipeline or GitOps appr…
How the EU created Electronic Invoices without considering Security (god2025)
27:51
Companies within the European Union are increasingly required to be able to issue and process electronic invoices according to EU standards. For example, since January 2025, companies in Germany have been required to support electronic invoices in B2B contexts. While it is desirable to standardize invoice data formats, the EU standards have severe p…
From Startup to Scale: Choosing the Right AppSec Path (god2025)
21:17
Security teams often inherit their organisation's structure - for better or worse. The way you design your AppSec programme and choose your team topology can determine whether security becomes a trusted enabler or a frustrating bottleneck. In this story-driven session, we follow Alex, who begins as the only security person in a 50-person startup. At…
The Surprising Complexity of Finding Known Vulnerabilities (god2025)
23:35
With the increasing reliance on third-party software components, ensuring their security against known vulnerabilities has become a daily challenge for individuals and organizations. Despite the availability of a variety of tools and databases, we found all of them fall short when applied to real-world scenarios - raising questions about their effe…
Generative AI is supposed to make our lives easier. But what if it's really just coding us straight into a new Dark Age? We hand over our systems to AI agents, only to watch them invent backdoors nobody asked for. Developers are left with the glamorous job of bug janitors, while attackers get new exploits. It's hard not to feel like we are front-ro…
Why Your Code Dies in Six Months: Automated Refactoring
32:58
Episode Sponsor: Incident.io - https://dev0ps.fyi/incidentio Warren is joined by Olga Kundzich, Co-founder and CTO of Moderne, to discuss the reality of technical debt in modern software engineering. Olga reveals a shocking statistic: without maintenance, cloud-native applications often cease to function within just six months. And …
German transport policy has for decades been shaped by a car-centric perspective that is deeply anchored in society and normalized in the media. While science has long pointed to the limits of this model (ecological, health-related, economic), the public debate, here in Lübeck too, is often emotional, ideolo…
"My God, where are they driving us?" (nook25)
46:25
The death marches from the concentration camps in April 1945, using the example of the Sachsenhausen death march. Talk with original photos, drawings and quotes from the surviving concentration camp prisoners. How did the imprisoned people fare? How did the German population behave when the marches came into the villages and towns? The Nights of Open Kno…
Neural networks (DNNs) such as ChatGPT can now be found in many areas thanks to their good performance, not only in private use but also in ethically relevant application areas such as medical diagnostics and autonomous driving. At the same time, voices are growing louder that the decisions of DNNs should be comprehensible and the AI used "transparen…
How important clean water is should be clear to all of us. But what do we do when freshwater supplies run low and there is less and less rainfall? "Atmospheric Water Harvesting" (AWH) can counter the current, and in future only growing, problem of water scarcity. AWH is the technology for obtaining water from the air…
Building focused learning communities (nook25)
41:55
Change is hard. Together it goes better. But how, concretely? The format: 6–12 people meet every week for one and a half hours over half a year. The goal: learn a new skill. How do you start? How do you stay motivated along the way? Which tools make reaching the goal more likely? And what are the stumbling blocks? …
This year marks the tenth anniversary of the conclusion of the Paris Climate Agreement. If one asks about the effects that global efforts for more climate protection have achieved since then, the answer is devastating: 2024 was the first year in which the Earth's surface temperature was more than 1.5 °C above the level of the pre-ind…
We all use open-source software, whether by conscious decision or through integration into common products. It allows insight into how it works and into its design patterns. But who takes a closer look at code? Besides programming skills in the language used, it takes practice to find one's way around unfamiliar projects. Project st…
For us in Schleswig-Holstein, the sea plays a special role. The land and its people are closely tied to the North Sea and the Baltic Sea, and for many they are the basis of their livelihood, whether through shipping, fishing or tourism. In addition, seas and oceans are enormously important for the climate, e.g. as carbon stores. For various reasons …
As GodotFest 25 comes to a close, we’ll wrap up the conference with final thoughts, highlights from the past two days, and thank everyone who made this event possible. We’ll celebrate the amazing talks, workshops, and connections made throughout the conference, recognize our sponsors and volunteers, and look forward to the future of the Godot commun…
Fireside Chat – Godot’s Next Milestones (godotfest2025)
45:57
Godot has grown from a community passion project into a real alternative for professional studios. The 4.x series brought the technical groundwork — a modern renderer, new architecture, and steady performance improvements — that make larger productions viable. Now the next milestones aren’t just in the engine itself but in the surrounding ecosystem…
Unlocking Godot’s Superpower: Productivity (godotfest2025)
53:10
While working on Dome Keeper and PVKK over the past year and a half, people often ask me what I love most about Godot. My answer is always the same: productivity. In this talk I'll discuss why Productivity is even more important for indie game development than many realize and what makes Godot so good at it IF you know how to harness it. I’ll share…
New Game+: Adding Backend Features to Your Godot Projects (godotfest2025)
39:54
Ready to unlock the next level of your Godot development? Just like New Game+ adds exciting features to enhance replay value, adding backend capabilities transforms your games from single-player experiences into connected, community-driven platforms. In this talk, we'll explore how to level up your Godot projects with robust backend features like r…
Beyond the Loop: A Primer on Interactive Music in Godot (godotfest2025)
29:42
Unlock the **secrets of interactive music** in Godot and learn how to bridge the gap between game developers and audio creators. In this session you will discover how to use adaptive scores to transform your _gameplay_, boost the _immersion_, _replayability_, and _emotional impact_ of your project through **adaptive audio**. Covering all the _basic…
Many Godot developers push mobile to the end of their roadmap - if they consider it at all. The common pattern: build for desktop, ship on Steam or itch, and think about mobile later if the project takes off. In this talk, we’ll explore how and why developers should start thinking about mobile earlier in their process. Mobile represents the largest ga…
Keeper to Keepers: Adding Multiplayer to Dome Keeper (godotfest2025)
50:34
The age-old wisdom for adding multiplayer to a complex single player game is: Don't. This talk will cover how we added mixed local and online multiplayer to an existing codebase of tens of thousands of lines of GDScript and how you can think about systems in your game to do the same. Licensed to the public under https://creativecommons.org/licenses/b…
Making Audio for a Godot Project in FMOD (godotfest2025)
51:52
As the last of the "big 3" engines still lacking an officially-supported FMOD integration plugin, Godot offers a unique working environment for sound designers and composers utilizing FMOD. In this talk, I would like to explore the advantages and disadvantages this presented when making music and SFX as a one-man audio department for the roguelike …
This talk explores the powerful capabilities and practical challenges of working with Godot’s tilemap system, drawing from real-world experience building an open world game. From optimization techniques that keep large worlds running smoothly to the underutilized Scene Tiles feature, you’ll learn how to leverage tilemaps beyond basic level design. …
Raytracing is simple for 2D games! (godotfest2025)
50:27
2D games often struggle to match the visual appeal of 3D games, since they can't use common lighting techniques. However, these effects can be created with quite simple shaders, and they perform much better than the 3D counterparts. In this talk, I will share the lighting techniques I have implemented for my game, Blastronaut, including the new 2D r…
Art Direction Crash Course (for non-artists) (godotfest2025)
26:26
A talk aimed at non-artists that covers "how to art direct". We will cover basics like lighting, colors and shape language. But also teach how to stylize, what the difference between a moodboard and a reference board is and just general art knowledge that will be helpful for programmers, game designers and level designers. Licensed to the public under…